Solved

DNS Problem

Posted on 2004-11-01
16
Medium Priority
396 Views
Last Modified: 2010-04-19
We have two Windows 2003 servers that function as domain controllers and DNS servers.  For DNS, they log entries for local workstations and point to our ISP for web name resolution.  About a week ago, no client can access www.yahoo.com.  Checked with our ISP and they report OK (also changed my DNS settings to their servers on my local workstation and can access yahoo).  From what I understand, flushing the DNS cache on both servers should fix the problem, but I want to know (1) why this should matter if it's pointing out to the ISP for the info anyway and (2) what the ramifications are of flushing the cache.

Thanks!
Question by:munch007
16 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 12464151
Hi,

DNS servers keep a cache of the domain names that are resolved. If your server has a wrong DNS entry in its cache (every machine has a cache) it will falsely resolve. So the flushdns option will flush the local DNS cache the machine has.

This will have absolutely no effect on performance or anything else on your servers. You can do this without worrying about anything. The server will start creating a new local cache by resolving the domain names....
0
 

Author Comment

by:munch007
ID: 12464248
Flushed DNS cache and still cannot get to www.yahoo.com.  Any suggestions, based upon info above?

0
 
LVL 23

Expert Comment

by:rhandels
ID: 12464283
>>Flushed DNS cache and still cannot get to<<

I already thought that this wasn't going to solve the problem...

If you go to the DNS server, are you able to go to other sites??? Browse the internet?? And what's between your server and the internet??
0
 
LVL 11

Expert Comment

by:cfairley
ID: 12464304
Also, when you reboot the server, this flushes the cache.

The reason this happens at times is that sites such as Yahoo have many Web servers.  If you go to the site, the DNS server will store the IP/DNS name in the cache.  If that specific server from Yahoo goes down, then the entry in the cache is wrong and will give its clients the wrong information.  So flushing the cache on the server will allow it to get rid of the wrong information.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 12464324
Your DNS settings are incorrect. For an AD domain to work properly, your domain members have to use your internal DNS *only*, and use the root hints or forwarders for external lookups.
The following settings should correct the issue:

*** TCP/IP-Settings ***
* On your first DC/DNS, make sure the only DNS listed in the TCP/IP properties is itself.
* On your second DC, let it point to the first DC as primary, to itself as secondary.
* On your domain members, enter both DCs as primary and secondary DNS.
* Do NOT enter your ISP's DNS server in the TCP/IP settings on any domain member. All DNS resolution needs to be done by your internal DNS servers *only*.

*** DNS Server Settings ***
* Delete the root zone (if present) in your DNS servers' forward lookup zones (the single dot, "."), to enable external lookups.
* Right-click your forward and reverse lookup zones, go to Properties, and make sure that Dynamic Updates are enabled.
* In the properties page of your DNS servers, configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
* It's recommended (but not necessary) to set your zones to Active Directory integrated (this can be done in the properties of the zones as well).

Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and re-start the netlogon service. Check if the SRV records have been created (see link below).
For further troubleshooting, you can use dcdiag.exe and netdiag.exe to check your system for errors in the domain setup.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515

How Domain Controllers Are Located in Windows
http://support.microsoft.com/?kbid=247811

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861

SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/?kbid=239897
0
 

Author Comment

by:munch007
ID: 12464385
I can browse to any website (as far as I can tell) on the DNS server, clients, etc.  Cisco PIX firewall is between DNS server and internet.
0
 

Author Comment

by:munch007
ID: 12464576
Checked all settings mentioned by oBdA.  All are correct, ISP's servers only appear on the forwarders tab.  I just temp changed my local DNS to my ISP to test.
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12466299
How do they connect to www.yahoo.com? NAT/Routed/Proxy?
What were the error messages when not reaching www.yahoo.com?
0
 

Author Comment

by:munch007
ID: 12466422
A user's internet permission is granted thru our firewall...once I permit the IP in the firewall they can connect.  We also have a proxy server, but users cannot connect to yahoo thru it either.  Error is "cannot find yahoo.com"  Cannot ping the site either.
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12466693
btw, for caching reasons, one DNS should forward to the second. Only the second should forward to the internet.
None of your DNS servers has a "." zone?
Did you update the root hints file at some point?
Which DNS servers are your DCs using?
0
 
LVL 23

Accepted Solution

by: rhandels earned 1000 total points
ID: 12470603
Hi,

There seems to be a compatibility problem with Windows Server 2003 and PIX firewalls that could cause these kinds of conflicts.. Try looking at this other thread, it might help

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21138215.html

I will paste the answer to that question here... It's a copy from another post (just as a small reminder)..



This is a known compatibility problem between Windows Server 2003's DNS and some firewalls, usually PIX.

See the following articles for details:

http://www.jsiinc.com/SUBN/tip6900/rh6967.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_imp_EDNSsupport.asp

Hope that helps!!

Eli


Especially the second link is interesting.... Hope it helps..
0
 

Author Comment

by:munch007
ID: 12472886
Thanks!
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12472902
So it did solve your problem??? Glad to hear..
0
 

Author Comment

by:munch007
ID: 12472972
Worked like a champ!  I appreciate the help
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12472986
You're welcome...
0
 

Expert Comment

by:SteveIN
ID: 12863689
Thanks so much for this solution!!!! It solved my problem too. I was having trouble with people getting to sites like CNN.com and Ebay.com, and it was just driving me mad and causing me to question everything I knew about setting up DNS. Thanks again! Here is also another link that has a solution about how to tell Windows 2003 to use a 512-byte UDP packet without totally disabling all the EDNS0 features.

http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-edns0-and-firewalls.html

0
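The mechanism behind the accepted solution and SteveIN's 512-byte remark is worth seeing on the wire. A Windows Server 2003 DNS server adds an EDNS0 OPT record to the queries it sends to its forwarders, advertising a UDP buffer larger than the classic 512 bytes; the ISP's resolver then answers a name with many A records (the Yahoo/CNN/eBay case) in one large UDP datagram, which a firewall that only understands 512-byte DNS drops. The Python below is an added example, not code from the thread or from any of the linked articles: it builds the query with and without the OPT record, models a compliant upstream server that fits answers to the advertised limit (truncating and setting TC otherwise), and models the firewall only as a "drop anything over 512 bytes" check. The 198.51.100.x addresses and the 35-address answer are constructed for the example.

```python
import struct
from typing import List, Optional

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload limit that legacy DNS inspection enforces
OPT_TYPE = 41             # EDNS0 OPT pseudo-RR type (RFC 2671)
TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels ending in the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name at pkt[off:], handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def opt_rr(udp_size: int) -> bytes:
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-RCODE/version/flags, RDLEN=0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)

def build_query(name: str, txid: int = 0x1234, edns_udp_size: Optional[int] = None) -> bytes:
    """A-record query; with edns_udp_size set, an OPT RR advertises that UDP buffer size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)  # RD=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)                             # A, IN
    return header + question + (opt_rr(edns_udp_size) if edns_udp_size else b"")

def advertised_udp_size(pkt: bytes) -> Optional[int]:
    """Return the UDP payload size from pkt's OPT RR, or None when the packet has no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == OPT_TYPE:
            return rclass
        off += rdlen
    return None

def answer_query(query: bytes, addresses: List[str]) -> bytes:
    """Model of a compliant server: pack as many A records as the client's UDP limit allows,
    set TC when answers had to be left out, and echo an OPT RR only if the client sent one."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    size = advertised_udp_size(query)
    limit = size if size else CLASSIC_UDP_LIMIT
    opt = opt_rr(limit) if size else b""
    budget = limit - 12 - len(question) - len(opt)
    records: List[bytes] = []
    for ip in addresses:
        # A record: pointer to the question name at offset 12, TYPE=A, CLASS=IN, TTL=300, RDLEN=4
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
        if sum(map(len, records)) + len(rr) > budget:
            break
        records.append(rr)
    flags = 0x8180 | (TC_FLAG if len(records) < len(addresses) else 0)   # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 1 if opt else 0)
    return header + question + b"".join(records) + opt

def is_truncated(pkt: bytes) -> bool:
    return bool(struct.unpack_from("!H", pkt, 2)[0] & TC_FLAG)

def answer_count(pkt: bytes) -> int:
    return struct.unpack_from("!H", pkt, 6)[0]

def legacy_fixup_drops(pkt: bytes) -> bool:
    """The failure mode from the thread, modelled as: inspection allows only classic 512-byte UDP DNS."""
    return len(pkt) > CLASSIC_UDP_LIMIT

if __name__ == "__main__":
    addrs = [f"198.51.100.{i}" for i in range(1, 36)]   # 35 constructed (TEST-NET-2) addresses
    for size in (None, 4096):
        q = build_query("www.yahoo.com", edns_udp_size=size)
        r = answer_query(q, addrs)
        print(f"EDNS0 size={size}: response {len(r)} bytes, {answer_count(r)} answers, "
              f"TC={is_truncated(r)}, dropped by 512-byte fixup={legacy_fixup_drops(r)}")
```

Without EDNS0 the upstream server returns a 511-byte truncated answer (30 records, TC set) that the firewall passes and the resolver retries over TCP; with a 4096-byte advertisement the same 35 records come back as a 602-byte UDP datagram that the 512-byte-only inspection drops, which the client then sees as "cannot find yahoo.com". That is why the fixes in the linked articles are either to stop the Windows DNS server from advertising EDNS0 to its forwarders, to cap the advertised size at 512 bytes as SteveIN's link describes, or to update the firewall's DNS inspection so it accepts larger datagrams.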
